He said successful ERM governance must expand beyond the silo structure, facilitating communication across risk-taking functions, and consider the inter-relationship of risks.

Faust cautioned that each credit union’s risk governance structure depends upon its size and complexity. Large, complex institutions will require dedicated resources, which usually means at least one full-time risk officer.

Smaller credit unions can assign the risk officer role to someone who wears more than one hat. However, regardless of size, the ERM must maintain a sense of independence, and the designated risk chief must carry some political weight, Faust said. That means the risk officer must have a direct line to the board.

“But, we’re not talking about a whistleblower, because it should never come to that,” he said.

According to Faust, properly structured ERM governance should include a board ERM committee, a management ERM committee, and a designated chief risk officer.

The board committee births the process, overseeing the ERM framework, establishing the comprehensive risk strategy and policy statements, and conducting the annual performance evaluation of the risk officer, which keeps the position independent of the CEO and other senior managers, Faust said.

Board ERM committees should include risk representatives from other committees, such as the credit committee, and will invite both risk-averse directors as well as directors that push their credit unions to adopt new products and strategies.

The management ERM committee, which Faust described as the “working” risk committee, assists the chief risk officer in identifying and assessing material risks. Setting up a management ERM committee also helps to instill a culture of risk management throughout the credit union, he added.

Chief risk officers can come from a variety of disciplines, not necessarily just a financial or audit function, he said. Whatever a CRO’s background, the position presents a challenge to consider all risk categories.

For example, Faust said, CROs with a financial management background are often challenged to look beyond credit, market and liquidity risks. CROs with an audit background find it difficult to look beyond individual audit exceptions, “failing to see the forest for the trees,” he added.

Faust instructed the group about proper committee charters and policy statements and concluded his session with a list of challenges for credit unions developing ERM programs. He said those include a lack of board support, which often stems from a lack of education on the topic, a failure to designate one person to fill the CRO role, and a lack of effective controls.